SAP Security Case Studies

Explore real-world SAP security scenarios and discover how DefenceMore One Click Audit for SAP helps detect and prevent security threats in SAP systems.

Case Study #001.01

SAP_ALL Authorization Profile Misuse

Scenario

A request for the SAP_ALL authorization profile has been submitted via the helpdesk system for a user (this could also be a firefighter account). The system administrator who granted the authorization forgot to set an expiration date. Normally, SAP_ALL authorization should only be granted for one day, but the firefighter user has been using it for a week. During this time, the user intentionally accessed payroll tables and assigned new roles to other users.

A002 Critical Profile History, A003 Critical Profile Users, A004 User Master Record Changing (+2 more)

Case Study #002.01

Brute Force Attack on Predefined Accounts

Scenario

A brute force attack (password guessing or cracking) is being carried out on user accounts via the SAProuter from an external network. The goal of the attack is to compromise the passwords of critical predefined accounts such as DDIC, SAP*, and TMSADM. For this purpose, a password cracking attempt has been initiated.

A005 Password Change Activities, P005 Standard User Password, P009 Unsuccessful Login Attempts (+1 more)

Case Study #003.01

Critical RFC Authorization Vulnerability

Scenario

A member of the authorization team created a new role for a request involving an RFC connection and added the S_RFC authorization object to it. However, by assigning * to the parameters of the S_RFC object, they introduced a security vulnerability.

A009 RFC Authorization, A016 Last Created Roles, A022 Last Modified Roles (+1 more)

Case Study #003.02

HR Module Authorization Vulnerability

Scenario

A member of the authorization team accidentally created a role for an employee with critical-level parameter values in the P_ORGIN and P_ORGINCON authorization objects, which control access to infotypes in the Human Resources module.

A009 RFC Authorization, A016 Last Created Roles, A022 Last Modified Roles (+1 more)

Case Study #004.01

System Authorization Profile Misuse

Scenario

The S_A.SYSTEM authorization profile has been assigned to a newly created user.

A002 Critical Profile History, A003 Critical Profile Users, A004 User Master Record Changing (+1 more)

Case Study #005.01

Inactive User Account Reactivation

Scenario

A malicious user has unlocked, and thereby reactivated, an inactive user account belonging to an employee who has not used the system for a long time.

A020 Operations On User Accounts, A004 User Master Record Changing

Case Study #006.01

Weak Password Length Configuration

Scenario

The login/min_password_lng parameter in the SAP system is set to '6'.

P001 Password Parameters Check

Case Study #006.02

Insecure Password Configuration

Scenario

The login/no_automatic_user_sapstar parameter is set to '0'.

P001 Password Parameters Check, P005 Standard User Password, P002 Password Exception List

Case Study #007.01

External Program Authorization Risk

Scenario

A Java program connecting to the SAP system retrieves and processes certain data. The user created for this connection has been assigned the SAP_ALL authorization. Users who gain control of this program could exploit it to make critical RFC calls, access sensitive data, and manipulate the data through the program.

P004 RFC User Types, A018 Critical RFC Calls, S010 Gateway Active Connections

Case Study #008.01

Password Hash Code Theft Prevention

Scenario

A malicious user who has infiltrated the system with a user account attempts to obtain password hash codes and use Hashcat or similar tools to crack the passwords.

P010 Password Hash Code Check, K008 Password Hash Table Display Logging, K004 Data Download Logs

Case Study #009.01

Security Audit Log Disabled

Scenario

The Security Audit Log (SAL) has been disabled by a malicious user who infiltrated the system, using RSAU_CONFIG or the SM19 transaction code.

K001 System Log Activation, S007 System (Static) Param Change Activity

Case Study #010.01

Debug Authority Check Bypass

Scenario

A malicious user exploits a program vulnerability to infiltrate the system and attempts to bypass AUTHORITY-CHECK using debugging in a live system to escalate their privileges.

A008 Development Debug Auth., T001 Debug and Change Activity, T009 Request Import History (+2 more)

Case Study #011.01

Insecure ABAP Code Detection

Scenario

An ABAP developer, who is not familiar with SAP security best practices, includes a code block in a program that could create a security vulnerability. A user who is aware of these vulnerabilities may attempt to exploit them.

T004 Code Inspector GEN_SAP_POOL, T005 Code Inspector CALL_SYSTEM_CMD, T006 Code Inspector CONCAT_SELECT (+2 more)

Case Study #012.01

HANA Backup Failure Detection

Scenario

A HANA database backup was either canceled by malicious users or failed due to a routine error, resulting in no backups being taken for 10 days.

B003 Recent Hana Backup Check

Case Study #013.01

Dynamic Parameter Manipulation

Scenario

A malicious user activated the dynamic parameter sapgui/user_scripting in the system and executed a harmful MS Excel macro.

S008 System (Dynamic) Param Change History

Case Study #014.01

RSBDCOS0 Program Misuse Prevention

Scenario

A malicious user, who has authorization to run the RSBDCOS0 program, attempts to delete files by executing the rm -rf command on a Linux-based application server in order to damage the system.

S012 RSBDCOS0 Report Execution Logs

Case Study #015.01

Critical Security Note Compliance

Scenario

A critical SAP note, CVE-XXX, with a security score of 9.8, was published the previous night. Attackers are attempting to exploit the vulnerability described in the note to infiltrate the system.

C001 Installed Components, C002 OS SAP Kernel, C003 Cryptolib Vulnerabilities

Case Study #016.01

SAP Router Logging Disabled

Scenario

SAP Router is not logging the traffic passing through it.

N004 SAPRouter Logging, N005 SAPRouter Traffic Logging

Case Study #017.01

SAP Router Configuration File Protection

Scenario

A malicious hacker from the external network intends to modify the SAP Router configuration file.

N001 DMZ, N002 SAPROUTTAB Permission, N003 SAPROUTTAB File Check

Case Study #018.01

HANA Audit Log Disabled

Scenario

A malicious user with direct access to the HANA database has disabled the HANA DB audit log mechanism, preventing the generation of logs.

H001 HANA Audit Log Param Check, H004 HANA System Parameter Change Logs

Case Study #019.01

HANA Database Brute Force Attack

Scenario

A brute-force attack is being carried out against the HANA database, targeting the 'SYSTEM' user and other critical users through repeated password guesses.

H003 HANA Unsuccessful Login Attempts, H006 HANA Last Password Change Time

Case Study #020.01

HANA Database Privilege Escalation

Scenario

An ordinary user is granted 'DATA ADMIN' privileges on the live HANA database.

H009 HANA Critical Authorizations, H011 HANA Granted Critical Roles, H012 HANA Critical Events